Michaels Stores Wrestling With Unusual Fraud Event

Credit unions in 20 states will want to pay particular attention to their fraud alerts and protections after the Michaels retail chain announced it had experienced an ongoing card data breach.

The states where the breach occurred included Colorado, Delaware, Georgia, Iowa, Illinois, Massachusetts, Maryland, North Carolina, New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Utah, Virginia and Washington.

The retailer, which specializes in arts and crafts, has remained very quiet about the breach, citing the ongoing investigation, but has reported that it is somewhat unusual in that it appears the retailer's PIN pad terminals at points of sale were tampered with and compromised.

Other breaches have involved hacking into computer networks or servers. Tampering with PIN pads or skimming at ATMs generally involves only one or two pads or ATMs in a given location.

The retailer first went public in the Chicago area with news about the breach on May 4 after law enforcement authorities contacted the firm with suspicions about a card data breach. Subsequent investigation found the PIN pad tampering in the Chicago stores and then discovered that the tampering had spread far and wide.

“Michaels has identified less than 90 individual PIN pads (or approximately 1% of the total devices) in its 964 US stores that showed signs of tampering,” the Irving, Texas-based company said in its most recent statement. “Suspicious PIN pads were disabled and quarantined immediately. Out of an abundance of caution, Michaels has removed approximately 7,200 PIN pads comparable to the identified tampered PIN pads from its U.S. stores.”

The company announced that it has begun replacing these PIN pads in all U.S. stores and expects the replacement to be completed within the next 15 days. “Until the new upgraded PIN pads are installed, customers may have their credit and signature debit transactions processed on the store register. As an additional precaution, Michaels is screening all PIN pads in Canadian stores,” the retailer added.

The company has not yet said if it was compliant with the industry's PCI data security standards at the time of the breach. According to card executives, no retailer has been breached while being compliant with the standards.

A spokesman for PSCU Financial Services said the processing CUSO had seen fraud cases linked to the breach but that, so far, the fraud they had seen had been restricted to five or six CUs in the Chicago area.

But an executive with the CUSO stressed that authorities there were still waiting for more information to come in. “We won't see card numbers from the other cases [the retailer has revealed] until later this week, so I am not drawing any conclusions based on the [small number of fraud reports so far],” said Steve Ruwe, a former executive with Visa and now PSCU's chief risk officer.

Card security experts are scratching their heads over the Michaels breach, in part because it took place across multiple states and multiple venues. That suggests that someone could have gone from store to store to tamper with the PIN pads, a process that seems very risky, time-consuming and a lot of work. Or the thieves managed to hack into Michaels' PIN pads in the Chicago area, inserted some malware to allow the thefts and then figured out how to move the malware from pad to pad across the company. But if that was the case, why didn't they infect all the stores' PIN pads?

But sources familiar with the investigation say that investigators are focusing on what they call a point-of-sale swap fraud, in which fraudsters replace a store's good point-of-sale pads with compromised ones and then return in two or three days to pick up the compromised pads, now filled with consumer data. Once they have card data and PINs, the fraudsters will drive to another community and use the data at ATMs or POS terminals in that location.

Ruwe also noted that the Michaels case was unusual in that the retailer stepped forward fairly quickly after it had determined there was a problem. “You don't often see that,” Ruwe said.